Data protection regulation and practice may seem a long way from climate change initiatives but, following COP 26 closely over the last few weeks, I couldn't help pondering how one may be able to help the other. Below I have set out some lessons for climate change policy from the world of GDPR, some of which I share at this week's Society for Computers and Law Annual Conference 'Tech Law in a Sustainable Civil Society':
1) Minimise. A fundamental principle of GDPR is to minimise personal data to what is needed for a defined purpose. All sounds very sensible, at least from this minimalism addict. It also draws close parallels with the 'Reduce' mantra of sustainability. Minimising data use even has an immediate positive climate change impact. In the wake of GDPR, it was found that the decrease in unwanted marketing emails and tracking pixels on websites, for example, resulted in an instant reduction in CO2 emissions. In the new race to gather and use data for climate change initiatives, let's try and remember that, even if this data doesn't comprise personal data, the storage and collection of that data itself may carry a CO2 burden. Let's collect good and purposeful, defined data, absolutely, but not mass data at all costs. 'Data as the new oil' sounds particularly unhelpful here as a mantra when you think about it!
2) Transparency. Companies are required to explain to individuals how their personal data is processed, and we are beginning to see this happen in sustainable supply chain initiatives, but does this go far enough? Do individuals really understand the climate change impact of their decisions outside of more obvious actions such as energy use or transport? Take, for example, the new popularity of NFTs - if an individual 'acquiring' such an NFT was given more information about the carbon footprint involved in the blockchain technology supporting it, would they always make the same decisions?
3) Balancing interests. Data practitioners are well drilled in considering new activities and innovations by balancing the competing interests of individuals and their right to privacy against the rights of the company and other stakeholders. Ethics more generally is beginning to be included in corporate decisions, particularly in the context of AI, but what if climate change impact was another fundamental, built-in required interest to balance and we became as adept at doing so as filling out our 3-step legitimate interests assessments?
4) Accountability. GDPR has some good (see the principle of balancing interests above) but also some bad (see pretty much every paperwork requirement) lessons here. As one of the more mature governance frameworks around, even at 3 years old, GDPR will inevitably play a leading role in the 'G' part of ESG programmes in companies. But let's please take the good bits only. If we end up with regimes which rely on completing forms and staying on top of an increasing admin burden, we may lose sight of what should be the focus of our resources and energy to have a real impact.